disabled smbk5pwd, new parammter starttls, disable lgoin for members of NOLOGIN

Modified to use group of members, some access rights added
Activated syncrepl
2021-05-31 15:06:55 +02:00 · 2021-05-28 20:27:13 +02:00 · 2020-09-11 09:04:56 +02:00
1 changed files with 64 additions and 30 deletions
--- a/manifests/init.pp
+++ b/manifests/init.pp
@ -11,6 +11,7 @@ class wmdeit_ldap (
 	$database,
 	$rootdn, 
 	$rootpw,
+	$starttls = "no",

 	$serverid, 
 	$simple_bind_tls = "128",
@ -25,6 +26,7 @@ class wmdeit_ldap (
 		"rfc2307bis",
 		"krb5-kdc",
 		"samba",
+		"ppolicy",

 #		"samba",
 #		"nis",
@ -79,26 +81,39 @@ class wmdeit_ldap (
 			"by set=\"user & [cn=Administrators,ou=Groups,$database]/member\" write",
 			'by * break'
 		],
+		# System rights for members of Adm group
+		'2 to *' => [
+			"by set=\"user & [cn=Adm,ou=Groups,ou=System,$database]/member\" write",
+			'by * break'
+		],
+		# System rights for members of Adm group
+		'3 to *' => [
+			"by set=\"user & [cn=ReadOnlyAdm,ou=Groups,ou=System,$database]/member\" read",
+			'by * break'
+		],
+
 		# let users modify their passwords, and disable read acess to all others
-		'2 to attrs=userPassword' => [
+		'4 to attrs=userPassword filter=(!(memberof=cn=NOLOGIN,ou=Groups,dc=wikimedia,dc=de))' => [
+#		'4 to attrs=userPassword' => [
 			"by self write",
 			"by anonymous auth",
 			"by * none",
 		],
 		# let users read all
-		'3 to attr=entry,objectClass,givenName,cn,displayName' => [
+		'5 to attr=entry,objectClass,givenName,cn,displayName' => [
 		        "by anonymous break",	
 			"by * read",
 		],
-		"4 to dn.subtree=\"$database\" attrs=entry,objectClass,uid" => [
+		# let anonymous users list uids
+		"6 to dn.subtree=\"$database\" attrs=entry,objectClass,uid" => [
 		        "by anonymous read",
 			"by * break",
 		],
-		'5 to *' => [
+		# deny access to anything else
+		'7 to *' => [
 		        "by * none",	
 		]

-
 	},

 ){
@ -119,6 +134,10 @@ class wmdeit_ldap (
 	openldap::server::module { 'syncprov':
 		ensure => present,
 	} 
+#	openldap::server::module { 'ppolicy':
+#		ensure => absent,
+#	}  
+


 	package { "heimdal-kdc": 
@ -131,7 +150,6 @@ class wmdeit_ldap (
 		ensure => present,
 	}  

-
 	class { 'openldap::server': 
 		ssl_ca => "$cacert",
 		ssl_cert => "$pubcert",
@ -141,7 +159,7 @@ class wmdeit_ldap (

 	# delete all schema and databases created by default during installation
 	# This is some kind of a dirty hack because we use 
-	# in before => and irequire => some internal classes of module openldap 
+	# in "before =>" and "require =>" some internal classes of module openldap 
 	exec { 'wmdemanaged':
 		before => Class['::openldap::server::config'],
 		require => Class['::openldap::server::install'],
@ -194,7 +212,6 @@ class wmdeit_ldap (
 #		value   => { "TLSCACertificateFile"=>"$ssldir/ca.pem" }
 #	}

-
 #	openldap::server::globalconf { 'TLSCertificateKeyFile':
 #		ensure  => present,
 #		value   => { "TLSCertificateKeyFile"=>"$ssldir/privkey.pem" }
@ -259,14 +276,23 @@ class wmdeit_ldap (

 	
 	# Build list of syncrepl-entries, store it in $syncrepl
-#	if !empty ($syncrepl_providers) {
-#		$mirrormode=true
-#		$syncrepl = $syncrepl_providers.map |Integer $index, String $provider| {
-#			$i = $index+1
-#			"rid=00$i provider=$provider binddn=\"$rootdn\" bindmethod=simple credentials=$rootpw searchbase=\"$database\" type=refreshAndPersist tls_cacert=$cacert tls_key=$privkey tls_cert=$pubcert starttls=yes retry=\"3 60 6 300 30 +\"" #timeout=1"
-#		}
-#	}
+	if !empty ($syncrepl_providers) {
+		$mirrormode=true
+		$syncrepl = $syncrepl_providers.map |Integer $index, $provider| {
+			$i = $index+1
+			"rid=00$i provider=${provider[proto]}://${provider[host]}:${provider[port]} binddn=\"$rootdn\" bindmethod=simple credentials=$rootpw searchbase=\"$database\" scope=sub attrs=\"*,+\" filter=\"(objectClass=*)\" type=refreshAndPersist tls_cacert=$cacert tls_key=$privkey tls_cert=$pubcert starttls=$starttls retry=\"3 60 6 300 30 +\" timeout=1"
+		}
+		$syncrepl_providers.each |Integer $index, $provider| {
+			if $provider[ip] {
+				host{"host_$index":
+					name => $provider[host],
+					ip => $provider[ip],
+					ensure => present,
+				}
+			}
+		}

+	}

 	# create the main database
 	openldap::server::database { "$database":
@ -274,21 +300,29 @@ class wmdeit_ldap (
 		ensure => present,
 		rootdn => $rootdn,
 		rootpw => $rootpw,
-#		syncrepl => $syncrepl,
+		syncrepl => $syncrepl,
 		mirrormode => $mirrormode,
 	} 
 	->
 	openldap::server::overlay { "memberof on $database":
 		ensure => present,
+		options => {
+			'olcMemberOfGroupOC' => 'groupOfMembers'
+		}
 	} 
-#	-> 
-#	openldap::server::overlay { "syncprov on $database":
-#		ensure => present,
-#	} 
 	-> 
-	openldap::server::overlay { "smbk5pwd on $database":
+	openldap::server::overlay { "syncprov on $database":
 		ensure => present,
 	} 
+	->
+#	openldap::server::overlay { "smbk5pwd on $database":
+#		ensure => present,
+#	} 
+
+#	openldap::server::overlay { "ppolicy on $database":
+#		ensure => absent,
+#	}
+

 #	$acls.each |Integer $i, $acl | {
 #		notify{"Set ACL $i $acl":}
Author	SHA1	Message	Date
Tobias Herre	12369da5ab	disabled smbk5pwd, new parammter starttls, disable lgoin for members of NOLOGIN	2021-05-31 15:06:55 +02:00
Tobias Herre	c396989424	Modified to use group of members, some access rights added	2021-05-28 20:27:13 +02:00
Tobias Herre	726a33a0bf	Activated syncrepl	2020-09-11 09:04:56 +02:00